Created attachment 351435
Private advisory sent to Mozilla
Billy Rios from Microsoft Vulnerability Research reported this issue to the security@m.o. alias. I will attach the PoC testcase momentarily, which crashes both Firefox 3.0.4 and Trunk on Windows. The testcase did not produce a crash on Mac or Linux.
From the report:
The proof of concept causes a reproducible crash in Firefox 3.
It appears that this crash occurs in MOZCRT19!memcpy, which
eventually causes a write AV in xul!NS_CycleCollectorForget.
The root cause of this issue seems to be a large number of
"(" characters following the "Style" attribute (the "{"
character will work as well). The rest of the stuff in the
file is just an attempt for me to find out exactly what I
control.

Yes.
(The only reason I'd expect a platform difference is platform differences in stack size and the size of the stack frame for the function in question.)
If anyone has any evidence of a bug other than stack overflow, feel free to reopen, but...
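
The stack-exhaustion failure mode discussed in this thread, as an added example that is not part of the original bug comments and is not Mozilla's code: a recursive skipper for nested "(" / "{" blocks that checks nesting depth before recursing, so input length cannot decide stack usage. The function names, the `MAX_NESTING` value and the result codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical nesting cap, chosen for illustration only. */
#define MAX_NESTING 256

enum skip_result { SKIP_OK = 0, SKIP_UNBALANCED = -1, SKIP_TOO_DEEP = -2 };

/* Return the closing character for an opener, or 0 if c is not an opener. */
static char closer_for(char c) {
    return c == '(' ? ')' : c == '{' ? '}' : c == '[' ? ']' : 0;
}

/* Skip one balanced block starting at s[*pos], which must be an opener.
 * Every nested opener costs one stack frame, so the depth is checked
 * before recursing; without that check a long run of "(" characters
 * recurses until the thread's stack is exhausted. */
static int skip_block(const char *s, size_t len, size_t *pos, unsigned depth) {
    char close = closer_for(s[*pos]);
    if (close == 0) return SKIP_UNBALANCED;
    if (depth >= MAX_NESTING) return SKIP_TOO_DEEP;
    (*pos)++;                            /* consume the opener */
    while (*pos < len) {
        char c = s[*pos];
        if (c == close) { (*pos)++; return SKIP_OK; }
        if (closer_for(c)) {
            int r = skip_block(s, len, pos, depth + 1);
            if (r != SKIP_OK) return r;  /* propagate the failure upward */
        } else {
            (*pos)++;
        }
    }
    return SKIP_UNBALANCED;              /* input ended before the closer */
}

/* Validate the bracket nesting of a style attribute value. */
int check_style_value(const char *value) {
    size_t len = strlen(value), pos = 0;
    while (pos < len) {
        if (closer_for(value[pos])) {
            int r = skip_block(value, len, &pos, 0);
            if (r != SKIP_OK) return r;
        } else {
            pos++;
        }
    }
    return SKIP_OK;
}
```

With the cap in place, a value made of 100000 "(" characters is rejected after 256 frames, regardless of the platform's stack size.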